b'-   February 2, 2005\n\n\n\n\nAcquisition\nImplementation\nand Information Assurance Policies\nfor Acquisition of Navy Systems\n(D-2005-033)\n\n\n\n\n               Department of Defense\n           Office of the Inspector General\nQuality                Integrity       Accountability\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, visit the Web site of the Inspector\nGeneral of the Department of Defense at http://www.dodig.osd.mil/audit/reports or\ncontact the Secondary Reports Distribution Unit, Audit Followup and Technical\nSupport at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact Audit Followup and\nTechnical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\nIdeas and requests can also be mailed to:\n\n                 ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                 Inspector General of the Department of Defense\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c                            INSPECTOR GENERAL\n                            DEPARTMENT OF DEFENSE\n                              400 ARMY NAVY DRIVE\n                         ARLINGTON, VIRGINIA 22202-4704\n\n                                                                        February 2,2005\n\nMEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS\n                 AND INFORMATION lNTEGRATION/CHIEF\n                 INFORMATION OFFICER\n               NAVAL INSPECTOR GENERAL\nSUBJECT: Report on Implementation of Interoperability and Information Assurance\n         Policies for Acquisition of Navy Systems (Report No. D-2005-033)\n\n        We are providing this report for review and comment. We considered\nmanagement comments from the Deputy Assistant Secretary of the Navy for Command,\nControl, Communications, Computers, Intelligence and Space on a draft of this report\nwhen preparing the final report. This report is the third in a series of reports that\ndiscusses the implementation of interoperability and information assurance policies for\nthe acquisition of DoD systems. This report addresses the implementation of those\npolicies within the Navy.\n        DoD Directive 7650.3 requires that all recommendations be resolved promptly.\nThe Assistant Secretary of Defense for Networks and Information IntegratiodChief\nInformation Officer did not provide comments; therefore, Recommendations A. 1. and\nA.2. remain unresolved. We request that the Assistant Secretary of Defense for Networks\nand Information IntegratiodChief Information Officer provide comments on this final\nreport that conform to the requirements of DoD Directive 7650.3 by March 2,2005. No\nfurther comments are required from the Navy.\n       If possible, please send management comments in electronic format (Adobe\nAcrobat file only) to Audam@dodi~.osd.mil.Copies of the management comments must\ncontain the actual signature of the authorizing official. We cannot accept the / Signed /\nsymbol in place of the actual signature. If you arrange to send classified comments\nelectronically, they must be sent over the SECRET Internet Protocol Router Network\n(SIPRNET).\n       We appreciate the courtesies extended to the staff. Questions should be directed\nto Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Mr. Robert L. Shaffer at\n(703) 604-9043 (DSN 664-9043). See Appendix C for the report distribution. The team\nmembers are listed inside the back cover.\n                              By direction of the Deputy Inspector General for Auditing:\n\n\n\n\n                                     Assistant Inspector General\n                             for Acquisition and Technology Management\n\x0c          Office of the Inspector General of the Department of Defense\nReport No. D-2005-033                                                  February 2, 2005\n   (Project No. D2004AL-0011)\n\n   Implementation of the Interoperability and Information Assurance\n               Policies for Acquisition of Navy Systems\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Civilian and military managers who are\nresponsible for interoperability and information assurance requirements of Navy systems\nshould read this report because it addresses the importance of adhering to DoD\ninteroperability and information assurance policies to reduce the risk of Navy systems not\nbeing interoperable and being unable to exchange information in a secure manner with\nother DoD and allied systems.\n\nBackground. This report is the third in a series of reports on the implementation of\ninteroperability and information assurance policies for the acquisition of DoD systems.\nThis report addresses the implementation of those policies within the Navy. The first\nreport addressed the implementation of those policies within the Office of the Secretary\nof Defense and the Defense agencies. The second report addressed how effectively the\nArmy implemented those policies. The fourth report will address how effectively the Air\nForce implemented those policies.\n\nResults. The Navy had not implemented DoD policy to populate and maintain the\ninventory of Global Information Grid assets. As a result, all applicable Navy sensors,\nweapon systems, and business systems will not be included in the DoD enterprise-wide\ninventory of Global Information Grid assets, and DoD will not be able obtain the\ninformation superiority necessary for the Services to accomplish their assigned missions\neffectively and efficiently. The Assistant Secretary of Defense for Networks and\nInformation Integration needs to prepare and staff a DoD Directive that specifies the\ntypes of systems and system information capabilities to be included in the inventory of\nGlobal Information Grid assets and the responsibilities of the DoD Components to\npopulate and maintain it (finding A).\n\nThe Navy had not fully implemented interoperability policies to prepare or update\nrequired acquisition documents. Without documents that address interoperability,\ncapability, and supportability, DoD cannot be assured that its systems will be compatible\nwith existing systems, will meet the information needs of U.S. forces, or be interoperable\nwith proposed systems. The Chief of Naval Operations in coordination with the Assistant\nSecretary of the Navy (Research, Development and Acquisition) and the Deputy\nAssistant Secretary of the Navy Command, Control, Communications, Computers,\nIntelligence and Space should require system program managers to obtain Joint Staff J-6\ncertification for a system\xe2\x80\x99s interoperability requirements, to prepare and use information\nsupport plans for all systems throughout the life of the system, and to prepare system\nsecurity authorization agreements for systems that are subject to the DoD Information\nTechnology Security Certification and Accreditation Process (finding B). See the\nFindings section of the report for the detailed recommendations.\n\x0cManagement Comments and Audit Response. The Assistant Secretary of Defense for\nNetworks and Information Integration/Chief Information Officer did not comment on the\nDecember 17, 2004, draft report. Therefore, we request that the Assistant Secretary of\nDefense for Networks and Information Integration/Chief Information Officer provide\ncomments on this final report by March 2, 2005. The Deputy Assistant Secretary of the\nNavy for Command, Control, Communications, Computers, Intelligence and Space\nconcurred with the findings and recommendations. See the Findings section of the report\nfor a discussion of the management comments and the Management Comments section of\nthe report for the complete text of the comments.\n\n\n\n\n                                          ii\n\x0cTable of Contents\n\nExecutive Summary                                        i\n\nBackground                                               1\n\nObjectives                                               2\n\n\nFindings\n     A. Implementing Global Information Grid Policies    3\n     B. Implementing Interoperability Policies           8\n\nAppendixes\n     A. Scope and Methodology                           17\n         Prior Coverage                                 17\n     B. Navy Programs Surveyed                          19\n     C. Report Distribution                             20\n\nManagement Comments\n     Department of the Navy                             23\n\x0cBackground\n    This report is the third in a series of reports on DoD implementation of\n    interoperability and information assurance policies for the acquisition of DoD\n    systems. This report addresses the Navy\xe2\x80\x99s implementation of those policies on\n    the inventory for Global Information Grid assets and the provision of the required\n    documentation.\n\n    Chairman of the Joint Chiefs of Staff Testimony on the President\xe2\x80\x99s Proposed\n    Defense Program for Fiscal Year 2005. On February 4, 2004, General Pace, the\n    Vice Chairman of the Joint Chiefs of Staff, testified before the U.S. House of\n    Representatives Committee on Armed Services. General Pace described how\n    information sharing is critical for planning and executing military operations. He\n    testified that:\n           Since this is a global war requiring an international effort, we must also\n           improve coalition command and control capabilities, and consolidate\n           the numerous networks that exist today. These disparate networks\n           hinder our ability to plan in a collaborative environment and exercise\n           timely and effective command and control with our multinational\n           partners.\n\n           We must also review policies and implementing technology that\n           safeguard our vital sensitive information while ensuring critical\n           operational information is shared with all those who fight beside us.\n           JFCOM [Joint Forces Command] has been tasked to take the lead in\n           identifying specific multinational information sharing requirements and\n           recommending policy changes. Our goal is to establish a multinational\n           family of systems with common standards as part of the Global\n           Information Grid enterprise services. I view this as a top priority and\n           ask for Congressional support- information sharing with our allies is\n           critical to winning the War on Terrorism.\n\n    Top Ten Priorities. The Secretary of Defense issued a list of the top ten DoD\n    priorities for August 2003 through December 2004. One of those priorities is to\n    strengthen joint warfighting capabilities to develop joint concepts to integrate air,\n    land, and sea operations, and to strengthen joint exercises and joint training.\n    Strengthening joint warfighting capabilities will enhance interoperability and\n    communication among warfighters.\n\n    Joint Operations Concepts. In November 2003, the Secretary of Defense issued\n    the Joint Operations Concepts, which describes the overarching concept for\n    conducting future joint military operations. The Joint Operations Concepts\n    provided the operational concept for transforming the Armed Forces to achieve\n    joint force capabilities. The Joint Operations Concepts states that the joint force\n    will leverage technology to provide actionable, precise, and \xe2\x80\x9cfused\xe2\x80\x9d intelligence\n    at all levels of war to facilitate decision superiority. To facilitate decision\n    superiority, the joint force must gain and maintain information superiority.\n    Achieving these capabilities will require a singular battlespace networked to\n    enable continuous and collaborative campaign planning and an adaptive\n    command and control organization. Upon achieving decision superiority, the\n\n\n                                               1\n\x0c    joint force can defeat any adversary or control any situation across the full range\n    of military operations when the joint force is integrated and networked and\n    interoperable with interagency and multinational partners.\n\n    Scope of Navy Programs Surveyed. We judgmentally selected and reviewed\n    40 Navy programs from the Office of the Secretary of Defense Test and\n    Evaluation Oversight List for 2003. We sent a questionnaire to each program\n    office to survey their awareness of interoperability and information assurance\n    requirements and to determine whether their system was part of the inventory for\n    Global Information Grid assets. Appendix B lists the Navy programs surveyed.\n    We also requested program offices to provide the following documents:\n\n           \xe2\x80\xa2   operational requirements document;\n\n           \xe2\x80\xa2   command, control, communications, computers, and intelligence\n               support plan;\n\n           \xe2\x80\xa2   test and evaluation master plan; and\n\n           \xe2\x80\xa2   system security authorization agreement.\n\n    Overall Audit Project. This project is a continuation of work reported in\n    Inspector General of the Department of Defense Report No. D-2003-011,\n    \xe2\x80\x9cImplementation of Interoperability and Information Assurance Polices for\n    Acquisition of DoD Weapon Systems,\xe2\x80\x9d October 17, 2002, which addressed\n    whether the Office of the Secretary of Defense and DoD agencies were effectively\n    implementing DoD interoperability and information assurance policies. Report\n    No. D-2004-008, \xe2\x80\x9cImplementation of Interoperability and Information Assurance\n    Policies for Acquisition of Army Systems,\xe2\x80\x9d October 15, 2003, addressed the\n    adequacy of interoperability and information assurance requirements for Army\n    systems. Concurrent with this audit, another review is assessing how effectively\n    the Air Force is implementing DoD interoperability and information assurance\n    policies.\n\n\nObjectives\n    The primary audit objective was to evaluate whether the Navy was effectively\n    implementing DoD interoperability and information assurance policies.\n    Specifically, the audit determined whether the Navy was effectively identifying\n    system interoperability and information assurance requirements in the\n    requirements generation process. See Appendix A for a discussion of the audit\n    scope and methodology and prior coverage related to the audit objectives.\n\n\n\n\n                                          2\n\x0c           A. Implementing Global Information\n              Grid Policies\n           The Navy had not implemented DoD policy to populate and maintain the\n           inventory for Global Information Grid assets because DoD guidance is not\n           clear on the types of systems and system information capability\n           requirements that should be included. As a result, all applicable Navy\n           sensors, weapon systems, and business systems will not be included in the\n           DoD enterprise-wide inventory of Global Information Grid assets, and\n           DoD will not be able obtain the information superiority necessary for the\n           Services to accomplish their assigned missions effectively and efficiently.\n\n\nGuidance\n    Federal Information Security Management Act of 2002. On December 17,\n    2002, the President signed the E-Government Act of 2002 (Public Law 107-347)\n    that included Title III, \xe2\x80\x9cFederal Information Security Management Act of 2002.\xe2\x80\x9d\n    Section 305 of the Act, \xe2\x80\x9cTechnical and Conforming Amendments,\xe2\x80\x9d requires DoD\n    to develop and maintain an inventory of major information systems, including\n    major national security systems, operated under its control. Section 301,\n    Subchapter III, section 3542, \xe2\x80\x9cDefinitions,\xe2\x80\x9d states that national security systems\n    include information systems used or operated by an agency or contracted by an\n    agency, the function, operation, or use of which involves intelligence activities,\n    cryptologic activities related to national security, command and control of\n    military forces, equipment that is an integral part of a weapon or weapon system,\n    or is critical to direct fulfillment of military or intelligence missions.\n\n    Public Law 105-261. Section 2223, title 10, United States Code, chapter 131,\n    \xe2\x80\x9cInformation Technology: Additional Responsibilities of Chief Information\n    Officers,\xe2\x80\x9d October 17, 1998, requires the DoD Chief Information Officer to\n    maintain a consolidated inventory of DoD mission-critical and mission-essential\n    information systems, identify interfaces between those systems and other\n    information systems, and develop and maintain contingency plans for responding\n    to a disruption in the operation of any of those information systems.\n\n    DoD Directive 4630.5. DoD Directive 4630.5, \xe2\x80\x9cInteroperability and\n    Supportability of Information Technology (IT) and National Security Systems\n    (NSS),\xe2\x80\x9d May 5, 2004, updates DoD policy and responsibilities for interoperability\n    and supportability of system information technology, including national security\n    systems. The Directive requires the DoD Chief Information Officer to ensure the\n    development, implementation, and maintenance of the Global Information Grid\n    architecture in accordance with DoD Directive 8100.1.\n\n\n\n\n                                         3\n\x0cDoD Directive 8100.1. DoD Directive 8100.1, \xe2\x80\x9cGlobal Information Grid (GIG)\nOverarching Policy,\xe2\x80\x9d September 19, 2002, establishes policy and assigns\nresponsibilities for the configuration management and architecture of the Global\nInformation Grid. The Directive states that it is DoD policy that an\nenterprise-wide inventory of Global Information Grid assets shall be established\nand maintained. Further, the Directive requires the:\n\n       \xe2\x80\xa2   Under Secretary of Defense for Acquisition, Technology, and\n           Logistics to ensure that acquisition programs fully consider\n           documented Global Information Grid requirements and architecture;\n\n       \xe2\x80\xa2   Under Secretary of Defense (Comptroller) to collaborate with the DoD\n           Chief Information Officer, where necessary, to identify and coordinate\n           improvements to the identification and portrayal of information\n           technology resources to improve overall information technology\n           visibility;\n\n       \xe2\x80\xa2   DoD Components, including the Joint Chiefs of Staff and the Under\n           Secretary of Defense for Acquisition, Technology, and Logistics, to\n           populate and maintain their portions of the inventory for Global\n           Information Grid assets; and\n\n       \xe2\x80\xa2   Chairman of the Joint Chiefs of Staff to develop joint doctrine and\n           ensure that Chairman of the Joint Chiefs of Staff Instructions are\n           compatible with Global Information Grid policy and guidance.\n\nDoD Directive 8100.1 further states that the Global Information Grid includes any\nsystem, equipment, software, or service that meets one or more of the following\ncriteria:\n\n       \xe2\x80\xa2   transmits information to, receives information from, routes\n           information among, or interchanges information among other\n           equipment, software, and services;\n       \xe2\x80\xa2   provides retention, organization, visualization, information assurance,\n           or disposition of data, information, and/or knowledge received from or\n           transmitted to other equipment, software, or services; or\n\n       \xe2\x80\xa2   processes data or information for use by other equipment, software, or\n           services.\n\n\n\n\n                                    4\n\x0cInventory for Navy Global Information Grid Assets\n    The Navy had not implemented DoD policy to populate and maintain the\n    inventory for Global Information Grid assets.\n\n    Program Office Awareness of the Global Information Grid Policy. We\n    surveyed Navy program offices responsible for 40 systems and asked the program\n    officials whether they considered their systems to be part of the inventory for\n    Global Information Grid assets. Navy program office responses for 40 systems\n    were that:\n\n           \xe2\x80\xa2   19 of the systems were part of the inventory,\n           \xe2\x80\xa2   18 of the systems were not part of the inventory, and\n           \xe2\x80\xa2   3 Navy program offices were not sure whether their systems were part\n               of the inventory.\n\n    Systems, Equipment, Software, and Services not Designated as Global\n    Information Grid Assets. In response to our survey, Navy program offices\n    provided the following reasons why 11 of the18 systems were not reported as part\n    of the inventory for Global Information Grid assets.\n\n           \xe2\x80\xa2   1 system predated the Global Information Grid overarching policy,\n           \xe2\x80\xa2   9 systems communicated only with the host platform or were part of\n               another system, and\n           \xe2\x80\xa2   1 system was a weapon system.\n\n    Navy program offices did not explain why seven other systems--the F/A-18E/F\n    Super Hornet Naval Strike Fighter, CVN-68 Nimitz Class Nuclear-Powered\n    Aircraft Carrier, LPD-17 San Antonio Class Amphibious Transport Dock Ship,\n    T-AKE Auxiliary Cargo and Ammunition Ship, Tactical Control System,\n    KC-130J Hercules Tactical Aerial Refueler, and Integrated Electronic Defensive\n    Countermeasures--were not considered part of the inventory for Global\n    Information Grid assets. For example, the operational requirements document for\n    the F/A-18E/F includes interoperability as a performance parameter and program\n    officials stated that it will be certified for interoperability by the Joint\n    Interoperability Test Command; however, the program office did not consider the\n    F/A-18E/F to be a Global Information Grid asset.\n\n    Navy program offices were not sure whether three additional systems--the E-2C\n    Reproduction Hawkeye Airborne Early Warning Aircraft, the EX 171 Extended\n    Range Guided Munition, and the T-45TS Training Aircraft--should be part of the\n    inventory for Global Information Grid assets. For example, program officials for\n    the EX 171 Extended Range Guided Munition program office stated that they\n    thought their program should be part of the inventory for Global Information Grid\n    assets but did not know what action to take.\n\n\n\n\n                                        5\n\x0c     The E-2C Reproduction Hawkeye Airborne Early Warning Aircraft and the\n     RIM-162 Evolved Sea Sparrow Missile are national security systems and should\n     be Global Information Grid assets. The program office considered the\n     AN/BQQ-10 Acoustic Rapid Commercial-Off-The-Shelf Insertion, which is a\n     system included on a submarine, to be a Global Information Grid asset based on\n     the criteria in DoD Directive 8100.1. However, program officials did not\n     consider the AN/ALR-67(V)3 Advanced Special Receiver and the AN/SPY-\n     1D(V) Radar as Global Information Grid assets because they are part of another\n     system. Because a system communicates only with its host platform or is part of\n     another system may not be sufficient justification to exclude the system from the\n     inventory for Global Information Grid assets.\n\n     Need to Clearly Define Global Information Grid Asset Inventory Guidance.\n     The Navy had not implemented DoD policy on the Global Information Grid\n     because DoD guidance is not clear on the types of systems and system\n     information that should be included in the inventory. The criteria in DoD\n     Directive 8100.1, outlining which system, equipment, software, or service should\n     be included in the Global Information Grid, is so broad that virtually all Navy\n     systems should be included. Navy systems may meet one of the criteria for\n     inclusion in the Global Information Grid asset inventory, but they do not\n     necessarily contribute to a network-based way of fighting to achieve information\n     superiority, enable joint mission planning, and execute more timely military\n     operations and battlefield assessments. In addition, each Navy program office\n     may interpret the criteria differently in choosing which systems to include in the\n     inventory for Global Information Grid assets.\n\n\nEffect on Populating and Maintaining the Global Information\n  Grid Asset Inventory\n     Without a clearly defined policy on the types of systems and system information\n     capability requirements that should be included in the inventory for Global\n     Information Grid assets and how the inventory will be maintained, Navy program\n     offices may be incorrectly designating systems as Global Information Grid or\n     non-Global Information Grid assets. Therefore, DoD will not realize its goal of\n     including most sensors, weapon systems, and business systems into the Global\n     Information Grid to obtain information superiority for the Services to accomplish\n     their assigned missions.\n\n\nConclusion\n     Specific guidance needs to be issued on the types of systems and information\n     capability requirements that are necessary for a globally interconnected, end-to-\n     end, interoperable, and secure system-of-systems to meet the DoD joint\n     warfighting needs. With the necessary guidance, DoD will be able to concentrate\n     its resources on those systems that will meet its vision of collecting, processing,\n     storing, disseminating, and managing information on demand to warfighters,\n     policy makers, and support personnel.\n\n\n                                          6\n\x0cRecommendation and Management Comments\n    A. We recommend that the Assistant Secretary of Defense for Networks and\n    Information Integration/Chief Information Officer prepare and staff a DoD\n    Directive that specifies the:\n\n            1. Types of systems and system information capability requirements\n    to be included in the inventory for Global Information Grid assets.\n\n          2. Responsibilities of DoD Components in populating and\n    maintaining the inventory for Global Information Grid assets.\n\n    Management Comments Required. The Assistant Secretary of Defense for\n    Networks and Information Integration/Chief Information Officer did not provide\n    comments on the December 17, 2004, draft report. Therefore, we request the\n    Assistant Secretary of Defense for Networks and Information Integration/Chief\n    Information Officer provide comments on the final report by March 2, 2005.\n\n    Navy Comments. The Deputy Assistant Secretary of the Navy for Command,\n    Control, Communications, Computers, Intelligence and Space concurred that the\n    Department of the Navy has not implemented DoD policy to populate and\n    maintain the inventory for the Global Information Grid because DoD guidance\n    was not clear on the types of systems and system information capability\n    requirements that should be included. The Deputy Assistant Secretary stated that\n    the Department of the Navy Chief Information Officer has maintained a database\n    of mission essential and mission critical information technology systems,\n    including those in platforms and weapons systems. In addition, the Deputy\n    Assistant Secretary stated that the Chief Information Officer is involved in the\n    creation of the DoD Information Technology Program Repository that will\n    catalog systems and applications across the DoD and serve as the information\n    technology systems registry for DoD.\n\n\n\n\n                                        7\n\x0c           B. Implementing Interoperability Policies\n           The Navy did not fully implement interoperability policies to prepare or\n           update required acquisition documents because responsible Navy officials\n           did not ensure that system program offices identified interoperability\n           requirements and included those requirements in acquisition documents\n           throughout the life of the system. Without documents that address\n           interoperability, capability, and supportability, DoD cannot provide\n           assurance that systems being developed, acquired, and deployed meet the\n           information needs of U.S. forces, are interoperable with existing and\n           proposed systems, and are supported by the Global Information Grid.\n\n\nGuidance\n    DoD Policy. DoD Directive 4630.5, \xe2\x80\x9cInteroperability and Supportability of\n    Information Technology (IT) and National Security Systems (NSS),\xe2\x80\x9d\n    May 5, 2004, establishes the net-ready key performance parameter, which\n    replaced the interoperability key performance parameter and incorporated\n    net-centric concepts for achieving information technology and national security\n    system interoperability and supportability. The Directive requires DoD\n    Components to ensure that interoperability and supportability capabilities are\n    designed, developed, incorporated, tested, and evaluated for all their information\n    technology and national security systems. In addition, the Directive requires DoD\n    Components to develop procedures for the acquisition of all information\n    technology and national security systems and to document, manage, evaluate, and\n    report on interoperability, supportability, and sufficiency throughout a system\xe2\x80\x99s\n    life using an information support plan.\n\n    DoD Instruction 4630.8, \xe2\x80\x9cProcedures for Interoperability and Supportability of\n    Information Technology (IT) and National Security Systems (NSS),\xe2\x80\x9d June 30,\n    2004, states that DoD Components must develop an information support plan ,\n    which was formerly known as the command, control, communication, computers,\n    and intelligence support plan, for all acquisition programs to document the\n    program\xe2\x80\x99s interoperability, information, and support requirements and that it be\n    maintained throughout the acquisition life cycle. The Joint Interoperability Test\n    Command evaluates and certifies all acquisition information technology and\n    national security systems for interoperability. This report uses the term\n    \xe2\x80\x9ccommand, control, communication, computers, and intelligence support plan\xe2\x80\x9d\n    because programs reviewed during the audit usually provided command, control,\n    communication, computers, and intelligence support plans.\n\n\n\n\n                                        8\n\x0cThe Instruction requires the heads of the DoD Components to:\n\n       \xe2\x80\xa2   require the Chief Information Officer to ensure that the Component\n           complies with DoD Instruction 4630.8;\n\n       \xe2\x80\xa2   ensure that information support plans for all acquisition-category and\n           nonacquisition-category acquisitions are prepared;\n\n       \xe2\x80\xa2   identify and document in an information support plan a net-ready key\n           performance parameter for all acquisition-category, nonacquisition-\n           category, and fielded information technology and national security\n           system acquisitions;\n\n       \xe2\x80\xa2   submit the information support plan to the cognizant authority for\n           review and validation; and\n\n       \xe2\x80\xa2   ensure interoperability, supportability, and information assurance are\n           designed, developed, tested, evaluated, and incorporated into all DoD\n           Component information technology and national security systems.\n\nDoD Instruction 5000.2, \xe2\x80\x9cOperation of the Defense Acquisition System,\xe2\x80\x9d May 12,\n2003, states that, during system development and demonstration, the capabilities\ndevelopment document, which was formerly known as the operational\nrequirements document, will state the detailed operational performance\nparameters. Further, the Instruction states that the capabilities production\ndocument will state the operational requirements resulting from system\ndevelopment and demonstration and will detail the performance expected of the\nproduction system; however, this report uses the term \xe2\x80\x9coperational requirements\ndocument\xe2\x80\x9d because programs reviewed during the audit usually provided\noperational requirements documents.\n\nDoD Instruction 5200.40, \xe2\x80\x9cDefense Information Technology Security\nCertification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997, applies\nto all DoD Components and shall be used in the acquisition, operation, and\nsustainment of any DoD system that collects, stores, transmits, or processes\nunclassified or classified information. The Instruction applies to the life cycle of\nany information technology or information system, the development of new\nsystems, and the upgrade of existing and legacy systems. Further, the Instruction\nstates that the key to the Defense Information Technology Security Certification\nand Accreditation Process is the agreement between the information technology\nsystem program manager, the designated approving authority, the certification\nauthority, and the user representative to resolve critical schedule, budget, security,\nand performance issues. This agreement is documented in the system security\nauthorization agreement and is used to guide the certification and accreditation\nprocess. The system security authorization agreement establishes a binding\nagreement on the level of security required before system development or changes\nmay begin.\n\n\n\n\n                                      9\n\x0cJoint Staff Policy. Chairman of the Joint Chiefs of Staff Instruction 6212.01C,\n\xe2\x80\x9cInteroperability and Supportability of Information Technology and National\nSecurity Systems,\xe2\x80\x9d November 20, 2003, establishes policies and procedures for\nthe process to achieve Joint Staff J-6 interoperability and supportability\ncertification. The Joint Staff Instruction also provides additional guidance for\ndeveloping information support plans and establishes procedures for certification\nof requirements in the information support plans. The Joint Staff J-6 must\nrecertify interoperability when material changes such as hardware, firmware, or\nsoftware modifications affect interoperability, and every 3 years when the\ncertifications expire. Establishing system interoperability and supportability is a\ncontinuous process that must be managed throughout the life cycle of the system.\nThis Joint Staff Instruction applies to all information technology and national\nsecurity systems that DoD acquires, procures, or operates. In addition, the Joint\nStaff Instruction states that all information technology and national security\nsystems will be compliant with the Clinger-Cohen Act, DoD interoperability\nregulations and policies, and the guidance for the DoD Information Technology\nStandards Registry.\n\nNavy Policy. Secretary of the Navy Instruction 5000.2B, \xe2\x80\x9cImplementation of\nMandatory Procedures for Major and Non-Major Defense Acquisition Programs\nand Major and Non-Major Information Technology Acquisition Programs,\xe2\x80\x9d\nDecember 6, 1996, states that the Chief of Naval Operations and the Commandant\nof the Marine Corps are responsible for ensuring that the required documentation\nis provided. In addition, the Navy Instruction states that operational requirements\ndocuments must include clearly defined, joint interoperability requirements, or\nstate that joint interoperability is not required. All operational requirements\ndocuments with a command, control, communications, computers and intelligence\nelement will be staffed for a review of impact and interoperability. The Navy\nInstruction further states that operational requirements documents related to\ncommand, control, communications, computers and intelligence will be\nforwarded to the Joint Staff J-6 for interoperability certification.\n\nChief of Naval Operations Instruction 5239.1B, \xe2\x80\x9cNavy Information Assurance\n(IA) Program,\xe2\x80\x9d November 9, 1999, states that the Chief of Naval Operations is\nresponsible for directing implementation of the Navy information assurance\nprogram in coordination with the Assistant Secretary of the Navy (Research,\nDevelopment and Acquisition) and the Deputy Assistant Secretary of the Navy\nfor Command, Control, Communications, Computers, Intelligence and Space\n(formerly the Deputy Assistant Secretary of the Navy for Command, Control,\nCommunications, Computers and Intelligence/Electronic Warfare/Space) in\ncompliance with DoD Instruction 5200.40.\n\nNavy Information Assurance Publication 5239-13, \xe2\x80\x9cInformation Assurance\nCertification and Accreditation,\xe2\x80\x9d December 2000, provides guidance for\nimplementing Chief of Naval Operations Instruction 5239.1B.\n\n\n\n\n                                     10\n\x0cAcquisition Documents\n    The Navy did not fully implement interoperability policies to prepare or update\n    required acquisition documents, such as operational requirements documents;\n    command, control, communications, computers, and intelligence support plans;\n    and system security authorization agreements. In addition, the Navy did not\n    obtain Joint Staff J-6 certification of interoperability requirements. We requested\n    those acquisition documents from Navy program offices for the 40 systems that\n    we selected and reviewed.\n\n    Operational Requirements Documents. The Navy program offices provided\n    the operational requirements documents for 26 of the 40 systems that we selected\n    and reviewed. We reviewed those documents to determine whether the\n    interoperability requirements were key performance parameters that could be\n    measured, tested, and evaluated. Thirteen of the 26 operational requirements\n    documents contained a net-ready, key performance parameter. Navy program\n    offices stated that interoperability was not a key performance parameter in the\n    remaining 13 operational requirements documents. Reasons given were that:\n\n           \xe2\x80\xa2   2 systems had operational requirements documents that were being\n               updated to include interoperability as a key performance parameter,\n\n           \xe2\x80\xa2   2 systems communicated only with the host platform,\n\n           \xe2\x80\xa2   4 systems are part of other systems, and\n\n           \xe2\x80\xa2   5 systems predated the requirement for interoperability certification\n               and have not had any subsequent milestone decisions.\n\n            Operational Requirements Documents not Provided. Navy program\n    offices did not provide operational requirements documents for 14 of the systems\n    that we selected and reviewed. The Navy gave the following reasons for not\n    providing an operational requirements document:\n\n           \xe2\x80\xa2   6 systems predated the requirement for interoperability certification\n               and have not had any subsequent milestone decisions,\n\n           \xe2\x80\xa2   3 systems had operational requirements documents that were being\n               updated to include interoperability as a key performance parameter,\n\n           \xe2\x80\xa2   1 system was not considered an acquisition program,\n\n           \xe2\x80\xa2   2 systems did not have an interoperability requirement, and\n\n    The program offices for the remaining two systems stated that their operational\n    requirements documents were certified for interoperability by the Joint Staff J-6;\n    however, the program offices did not provide those documents for our review.\n\n          Need to Update Requirements Documentation. Although the Nimitz\n    Nuclear Powered Aircraft Carrier (CVN) and both the LHD-1 and\n\n\n                                        11\n\x0cLHD-8 Amphibious Assault Ship programs did not require DoD 5000 series\ndocumentation at their inception, both classes of ships are still being built. In\naddition, the LHD-8 was changed from an Acquisition Category II to an\nAcquisition Category 1C program. At that time, the operational requirements\ndocuments should have been prepared to address interoperability as a key\nperformance parameter.\n\nJoint Staff J-6 Certifications. Navy program offices responded to the survey for\nthe 40 systems that we selected and reviewed and stated that the operational\nrequirements documents for 10 systems were certified for interoperability by the\nJoint Staff J-6. In addition, Joint Staff J-6 interoperability certification was\nplanned or in process for 10 other systems, including 4 that did not have an\noperational requirements document as part of their program documentation. Of\nthe 20 systems that were not certified for interoperability by the Joint Staff J-6:\n\n       \xe2\x80\xa2   4 systems did not require an operational requirements document at\n           program inception;\n\n       \xe2\x80\xa2   8 systems were initiated before the interoperability certification\n           became a requirement;\n\n       \xe2\x80\xa2   6 systems did not have an interoperability requirement, communicated\n           only with the host platform, or were part of another system; and\n\n       \xe2\x80\xa2   2 program offices were unsure whether the operational requirements\n           documents for their systems had been certified for interoperability by\n           the Joint Staff J-6.\n\n         Need to Obtain Interoperability Certifications. Examples of Global\nInformation Grid assets that were initiated before the Joint Staff J-6 was required\nto certify interoperability were the SSN-21 Seawolf Submarine, the DDG-51\nGuided Missile Destroyer, and the LHD-1 and LHD-8 Amphibious Assault Ships.\nExamples of systems that were not Global Information Grid assets, but should\nhave been, that were initiated before Joint Staff J-6 was required to certify\ninteroperability were the CVN-68 Aircraft Carrier and the E-2C Early Warning\nCommand and Control aircraft. The Joint Interoperability Test Command\ncertified the Seawolf Submarine\xe2\x80\x99s AN/BSY-2 Combat Control System as meeting\nsome of its interoperability requirements; however, the Command did not certify\nthe overall system because the operational requirements document lacked\ninteroperability key performance parameters and information exchange\nrequirements. In addition, although the LHD-8 Amphibious Assault Ship, which\nis currently under construction, does not have an operational requirements\ndocument, the program office stated that the Joint Interoperability Test Command\nwill certify the system for interoperability. Interoperability certifications should\nbe obtained to ensure that the systems are interoperable with existing and planned\nsystems of joint, combined, and coalition forces.\n\n\n\n\n                                     12\n\x0cCommand, Control, Communications, Computers, and Intelligence Support\nPlans. Navy program offices provided command, control, communications,\ncomputers, and intelligence support plans for only 17 of the 40 Navy systems that\nwe selected and reviewed. DoD Instruction 4630.8 states that DoD Components\nmust develop a command, control, communication, computers, and intelligence\nsupport plan for all acquisition programs to document the program\xe2\x80\x99s\ninteroperability, information, and support requirements and that the plan be\nmaintained throughout the acquisition life cycle. We did not determine the\nadequacy of the support plans. Navy program offices provided the following\nexplanations for why they did not provide command, control, communications,\ncomputer and intelligence support plans.\n\n       \xe2\x80\xa2   5 systems\xe2\x80\x99 command, control, communications, computers, and\n           intelligence support plan were either planned or being prepared.\n\n       \xe2\x80\xa2   6 systems were initiated before there was a requirement to prepare a\n           command, control, communications, computers, and intelligence\n           support plan;\n\n       \xe2\x80\xa2   10 systems communicated only with the host platform, were part of\n           another system, or interoperability requirements did not apply; and\n\n       \xe2\x80\xa2   1 system was a Commercial-Off-The-Shelf program without\n           milestones or key performance parameters.\n\nThe program office for the remaining system did not give a reason why a\ncommand, control, communications, computers and intelligence support plan was\nnot provided.\n\nAlthough program offices stated that support plans were not prepared because the\nrequirement did not exist at the time the systems were initiated, systems\ncommunicated only with their host platform, or were part of other systems, other\nprogram offices with similar systems prepared the required documentation. A\ncommand, control, communications, computer and intelligence support plan was\nbeing prepared for the E-2C Reproduction Hawkeye Airborne Early Warning\nAircraft, although the requirement was not in effect when the program was\ninitiated. In addition, support plans were prepared for the Remote Airborne Mine\nClearance System and the RIM-162 Evolved Sea Sparrow Missile, although they\ncommunicate only with the host platform, and the Integrated Defensive Electronic\nCountermeasure System, which is part of another system.\n\nSystem Security Authorization Agreements. During our review of 40 Navy\nsystems surveyed, we determined that Navy program managers were not always\npreparing system security authorization agreements for all systems with\ninformation technology requirements. DoD Instruction 5200.40 states that the\nkey to the Defense Information Technology Security Certification and\nAccreditation Process is the agreement between the information technology\nsystem program manager, the designated approving authority, the certification\nauthority, and the user representative to resolve critical schedule, budget, security,\nand performance issues. This agreement is documented in the system security\nauthorization agreement and is used to guide the certification and accreditation\n\n\n                                     13\n\x0c     process. The system security authorization agreement establishes a binding\n     agreement on the level of security required before system development or changes\n     may begin. The Instruction applies to the life cycle of any information\n     technology or information system, the development of new systems, and the\n     upgrade of existing and legacy systems.\n\n             Preparation of System Security Authorization Agreements. Navy\n     program offices provided system security authorization agreements for only 11 of\n     the 40 systems that we selected and reviewed. We did not determine whether the\n     contents of the system security authorization agreements were adequate. Reasons\n     given for not providing system security authorization agreements were:\n\n            \xe2\x80\xa2   11 systems\xe2\x80\x99 security authorization agreements were planned or being\n                prepared;\n\n            \xe2\x80\xa2   12 systems communicate only with the host platform, were part of\n                another system, or interoperability requirements did not apply;\n\n            \xe2\x80\xa2   4 systems were initiated before preparation of a system security\n                authorization agreement became a requirement; and\n\n            \xe2\x80\xa2   1 system had a program security instruction instead of a system\n                security authorization agreement.\n\n     The program office for the remaining system did not give a reason why a system\n     security authorization agreement was not provided.\n\n     The Federal Information Security Management Act, Office of Management and\n     Budget reporting instructions, and the DoD Information Technical Security\n     Certification and Accreditation Process contain requirements for security and\n     security plans. In addition, although program offices provided several reasons for\n     not preparing system security authorization agreements, other program offices\n     with similar system requirements had prepared system security authorization\n     agreements. For example, a system security authorization agreement was\n     prepared for the SSN-21 Seawolf Class Nuclear-Powered Attack Submarine and\n     the Ship Self Defense System, even though the requirement was not in effect\n     when the programs were initiated. In addition, a system security authorization\n     agreement was being prepared for the AN/BQQ-10 Acoustic Rapid Commercial-\n     Off-The-Shelf Insertion, although it is part of another system and communicates\n     only with the host platform.\n\n\nEffect of Not Implementing Interoperability Policies\n     A system should not be excluded from meeting interoperability requirements\n     because the program was initiated before interoperability certification was\n     required. The Chief of Naval Operations and the Assistant Secretary of the Navy\n     (Research, Development and Acquisition) are responsible for ensuring that\n     interoperability requirements of systems are included in the acquisition\n     documents. According to the capstone requirements document for the Global\n\n\n                                         14\n\x0c    Information Grid, the success of the Global Information Grid depends on how\n    well it helps achieve interoperability to allow force-wide sharing of information;\n    however, the capstone requirements document states that some information\n    systems that are already fielded may not support the timely flow of accurate and\n    relevant information needed to meet future joint warfighting needs. In addition,\n    legacy systems are not normally designed to support global end-to end network\n    management or adhere to a prescribed set of interoperability standards for the\n    DoD and intelligence communities. Interoperability requirements should be\n    established for systems that communicate with other systems and certified by the\n    Joint Staff J-6 to better support the DoD vision of a joint force that will attain\n    information superiority and meet future joint warfighting needs. Without\n    management oversight and strict implementation of requirements for acquisition\n    documents, the Navy has no assurance that fielded systems are compatible with\n    existing command, control, communications, computer and intelligence\n    infrastructure of other DoD systems. The systems may not be adequate to meet\n    the information needs; interface requirements; and net-centric, interoperability,\n    and supportability concerns that will enable forces to operate effectively in joint,\n    combined, coalition, and interagency operations.\n\nRecommendations and Management Comments\n    The Deputy Assistant Secretary of the Navy for Command, Control,\n    Communications, Computers, Intelligence and Space concurred with the findings\n    and recommendations. Specific comments on each recommendation follow.\n    B.1. We recommend that the Chief of Naval Operations in coordination with\n    the Assistant Secretary of the Navy (Research, Development and Acquisition)\n    and the Deputy Assistant Secretary of the Navy for Command, Control,\n    Communications, Computers, Intelligence and Space require system\n    program managers to:\n\n           a. Obtain Joint Staff J-6 certification for systems with\n    interoperability requirements that support joint warfighting needs, including\n    systems that were initiated before the interoperability certification became a\n    requirement, systems that are still being built, systems that have undergone\n    major modifications, and systems that are included in the inventory of\n    Global Information Grid assets.\n\n    Navy Comments. The Deputy Assistant Secretary stated that the Department of\n    the Navy is planning to achieve substantial compliance with \xe2\x80\x9cFORCEnet\xe2\x80\x9d\n    technical standards by September 2010, when major portions of the DoD net-\n    centric architecture are expected to be in place for net-centric operations.\n            b. Prepare and use information support plans for all systems with\n    information technology requirements to document interoperability and\n    supportability requirements, or provide written justification stating why an\n    information support plan is not required.\n\n    Navy Comments. The Deputy Assistant Secretary concurred that written\n    justification should be required for any program that does not prepare an\n    Information Support Plan.\n\n                                         15\n\x0c       c. Prepare system security authorization agreements for systems that\nare subject to the DoD Information Technology Security Certification and\nAccreditation Process.\n\nNavy Comments. The Deputy Assistant Secretary stated that a better definition\nof when or what security is required in accordance with DoD Instruction 5100.40\nwas needed to provide common compliance across the Navy. The Deputy\nAssistant Secretary also stated that the Chief Information Officer, Department of\nthe Navy and the Deputy Assistant Secretary of the Navy for Command, Control,\nCommunications, Computers, Intelligence and Space review and assess\ninformation assurance strategies for all major programs prior to milestone\napproval or award of contracts acquiring information technology systems.\nB.2. We recommend that the Chief of Naval Operations in coordination with\nthe Assistant Secretary of the Navy (Research, Development and Acquisition)\nand the Deputy Assistant Secretary of the Navy for Command, Control,\nCommunications, Computers, Intelligence and Space establish specific\naccountability processes to verify that system program managers accomplish\nthe actions specified in Recommendation B.1.\n\nNavy Comments. The Deputy Assistant Secretary stated that accountability\npractices are being conducted but some refinement, clarification, and discipline in\nthe Navy processes may be necessary to ensure that program managers execute\ntheir responsibilities for joint staff certification, information support plans and\nsystem security authorization agreements. The Deputy Assistant Secretary further\nstated that the Navy will continue efforts like the \xe2\x80\x9cFORCEnet\xe2\x80\x9d Implementation\nBaseline and Policy to support existing processes to ensure program managers\nexecute their responsibilities for joint staff certification, information support plans\nand system security authorization agreements when appropriate and notify\nprograms when they are not.\n\n\n\n\n                                      16\n\x0cAppendix A. Scope and Methodology\n    We reviewed documentation dated from December 1965 to June 2004. To\n    accomplish the audit objective, we reviewed:\n\n           \xe2\x80\xa2   the Navy\xe2\x80\x99s efforts to implement interoperability and information\n               assurance requirements during the acquisition process,\n\n           \xe2\x80\xa2   requirements documentation for interoperability and information\n               assurance requirements, and\n\n           \xe2\x80\xa2   applicable criteria.\n\n    We also contacted the staff of the Chief Information Officer, Department of the\n    Navy.\n\n    In addition, we judgmentally selected and reviewed 40 Navy systems from the\n    Office of the Secretary of Defense Test and Evaluation Oversight List. A\n    questionnaire was used to obtain program managers\xe2\x80\x99 perspectives on\n    interoperability and information assurance requirements. We also requested\n    operational requirements documents; command, control, communications,\n    computers, and intelligence support plans; and system security authorization\n    agreements for each system.\n\n    We performed this audit from November 2003 through December 2004 in\n    accordance with generally accepted government auditing standards. We did not\n    review the management control program because the audit focused on the\n    interoperability and information assurance requirements and review processes;\n    therefore, our scope was limited to those specific requirements and processes.\n\n    Government Accountability Office High-Risk Area. The General Accounting\n    Office has identified several high-risk areas in DoD. This report provides\n    coverage of the DoD weapon system acquisition high-risk area.\n\n    Use of Computer-Processed Data. We did not rely on computer-processed data\n    to perform this audit.\n\n\nPrior Coverage\n    During the last 5 years, the Government Accountability Office and the Inspector\n    General of the Department of Defense have issued seven reports addressing\n    interoperability and information assurance requirements for DoD systems.\n    Unrestricted Government Accountability Office and Inspector General of the\n    Department of Defense reports can be accessed at http://www.gao.gov and\n    http://www.dodig.osd.mil/audit/reports, respectively.\n\n\n\n\n                                        17\n\x0cGovernment Accountability Office (GAO)\n     GAO Report No. GAO-04-858, \xe2\x80\x9cDefense Acquisitions \xe2\x80\x93 The Global Information\n     Grid and Challenges Facing its Implementation,\xe2\x80\x9d July 2004\n\n     GAO Report No. GAO-03-329, \xe2\x80\x9cSteps Needed to Ensure Interoperability of\n     Systems That Process Intelligence Data,\xe2\x80\x9d March 2003\n\nInspector General of the Department of Defense (IG DoD)\n     IG DoD Report No. D-2004-008, \xe2\x80\x9cImplementation of Interoperability and\n     Information Assurance Policies for Acquisition of Army Systems,\xe2\x80\x9d October 15,\n     2003\n\n     IG DoD Report No. D-2003-024, \xe2\x80\x9cInformation Assurance Challenges \xe2\x80\x93 An\n     Evaluation of Audit Results Reported From August 23, 2001, through July 31,\n     2002,\xe2\x80\x9d November 21, 2002\n\n     IG DoD Report No. D-2003-011, \xe2\x80\x9cImplementation of Interoperability and\n     Information Assurance Policies for Acquisition of DoD Weapon Systems,\xe2\x80\x9d\n     October 17, 2002\n\n     IG DoD Report No. D-2001-176, \xe2\x80\x9cSurvey of Acquisition Manager Experience\n     using the DoD Joint Technical Architecture in the Acquisition Process,\xe2\x80\x9d August\n     22, 2001\n\n     IG DoD Report No. D-2001-121, \xe2\x80\x9cUse of the DoD Joint Technical Architecture in\n     the Acquisition Process,\xe2\x80\x9d May 14, 2001\n\n\n\n\n                                        18\n\x0cAppendix B. Navy Programs Reviewed\n 1. E-2C Reproduction Hawkeye               21. EX-171 Extended Range Guided\n     Airborne Early Warning Aircraft            Missile\n 2. F/A 18 E/F Super Hornet Naval           22. Rapid Airborne Mine Clearance\n     Strike Fighter                             System\n 3. KC-130J Hercules Tactical Aerial        23. RIM-162 Evolved Sea Sparrow\n     Refueler                                   Missile\n 4. MH-60R Seahawk Multi-Mission            24. Standard Missile-2\n     Helicopter Upgrade                     25. RIM-116A Rolling Airframe\n 5. Multi-Mission Maritime Aircraft             Missile\n 6. V-22 Osprey Joint Advanced              26. AN/ALR-67(V)3 Advanced\n     Vertical Lift Aircraft                     Special Receiver\n 7. CVN 68 Nimitz Class Nuclear-            27. BQQ-10 Acoustic Rapid\n     Powered Aircraft Carriers                  Commercial-Off-The-Shelf\n                                                Insertion\n 8. LHD-8 Amphibious Assault Ship\n                                            28. AN/SPY-1 B/D Aegis Multi-\n 9. LHA (R) Amphibious Assault                  Function Phased-Array Radar\n     Ship\n                                            29. Joint Mission Planning System\n 10. LPD-17 Amphibious Assault Ship\n                                            30. Ship Self Defense System\n 11. SSN-21 Seawolf Class Nuclear-\n     Powered Attack Submarine               31. Tactical Control System\n 12. SSN-774 Virginia Class Nuclear-        32. Expeditionary Fighting Vehicle\n     Powered Attack Submarine               33. Defense Integrated Military\n 13. DDG-51 Guided Missile                      Human Resource System\n     Destroyer                              34. Deployable Joint Command and\n 14. DD (X) Destroyer                           Control\n 15. T-AKE Lewis and Clark Class of         35. Integrated Defensive Electronic\n     Auxiliary Dry Cargo Ships                  Countermeasure\n 16. AGM-84H/K Standoff Land                36. Joint Standoff Weapon\n     Attack Missile \xe2\x80\x93 Expanded                  Baseline/BLU-108/Unitar\n     Response                               37. Navy Standard Integrated\n 17. AARGM/AGM \xe2\x80\x93 88E Advanced                   Personnel System\n     Anti-Radiation Guided Missile          38. Navy-Marine Corps Intranet\n 18. AIM-9X Air-to-Air Missile\n     Upgrade                                39. T-45TS Undergraduate Jet Pilot\n                                                Training System\n 19. MK 48 Torpedo Mods                     40. LHD-1 Amphibious Assault Ship\n 20. Airborne Mine Neutralization\n     System\n\n\n\n\n                                       19\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense for Networks and Information Integration/Chief\n   Information Officer\nDirector, Operational Test and Evaluation\nDirector, Program Analysis and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n   Director for Command, Control, Communication and Computer Systems\n      Directorate (J-6)\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Research, Development and Acquisition)\n  Deputy Assistant Secretary of the Navy for Command, Control, Communications,\n      Computers, Intelligence and Space\nChief of Naval Operations\nChief Information Officer, Department of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Command\nInspector General, U.S. Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Information System Agency\n   Commander, Joint Interoperability Test Command\n\n\n\n\n                                          20\n\x0cNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                          21\n\x0c\x0c  .\nDepartment of the Navy Comments\n\n\n\n\n     MEMORANDUM\n                                     DEPARTMENT\n\n                                RESEARCH. DEYEt.OPIilEKT\n                                                        OF THE NAVY\n                                   OFFICE OI\'TttEASSISTANT\n\n\n\n\n                                             January 18,2005\n                                                                 SECAETARY\n                                                              AND AOOUISITIOtl\n                                             1000 NAVY PENTAGON\n                                         W"\'SHINGT~OO2035(J-1000\n\n\n\n\n                         FOR ODD DEPUTY INSPECTOR GENERAL FOR AUDITING\n\n     SUBJECT: Draft ODD IG Report on Implementation of Interoperability and Information\n                   Assurance Policies for Acquisition of Navy Systems\n\n              We have reviewed the subject audit report and concur overall with its findings aDd\n     recommendations.      We share the Department of Defense (000) concerns about the\n     importance ofinteroperability    and Information Assurance (IA) in our programs, but\n     recorrunend that the survey responses be recognized as including some programs that\n     were initiated as early as 1965. Any response to the findings must be tempered with the\n     realities of timing, resources, and assessment ofretum on investment.\n\n             The Department of the Navy (DON) has been making significant progress in its\n     understanding, interpretation, and implementation ofinteroperability guidelines through\n     its use of our FORCEnet initiative. Much of this is being accomplished through the\n     efforts to develop FORCEnet specifications and standards, compliance checklists,\n     implementation baselines, interoperability assessments, and acquisition policies, all being\n     done in a collaborative ~er      among the Operational, Resourcing and Acquisition\n     communities in the DON.\n\n             AdditionaJly, it should be stated that the DON has been quite clear in its policies\n     concerning interoperability and IA via issuance of Secretary of the Navy and Chief of\n     Naval Operations Instructions and IA publications. OUf FORCEnet implementation\n     policy is now in draft and will be delivered in April 2005. Many of our programs,\n     particularly those in the early phases of the life,          net-ready Key Performance\n     Parameters. The attachment provides 0           ecific commen on the DOD Inspector\n     General recommendations.\n\n\n                                                             3enci\n                                                    Duty Assistant Secreta of the Navy\n                                                     ommand, Control, Communications,\n                                                    Computers, Intelligence and Space\n\n     Attachment:\n     As stated\n\n     Copy to:\n     NavylG\n\n\n\n\n                                                       23\n\x0c                   Department of the Navy (DON) Comments on\n   Draft DOD IG Report on Implementation of Interoperability and Information\n  Assurance Policies for Acquisition of Navy Systems (Project No. D2004AL-OOll)\n\nRECOMMENDATION\n\nA. We recommend that the Assistant Secretary of Defense for Network and\nInformation Integration/Chief Information Officer prepare and staff a DOD\nDirective that specifies the:\n\n     I. Types of systems and system information capability requirements to be\nIncluded in the inventory for Global Information Grid assets.\n\nASN (RDA) RESPONSE: We concur that the DON has not implemented Department of\nDefense (000) policy to populate and maintain the inventory for the Global Infonnation\nGrid (GIG) because the DOD guidance is not clear on the types of systems and systems\ninfonnauon capability requirements that should be included. The DON Chief\nlnfonnauon Officer (CIO) is currently engaged in the partial resolution of the GIG asset\ninventory issue through the creation of the DOD Infonnanon Technology (IT) Program\nRepository, which will catalog systems and applications across the DOD and will also\nserve as the IT systems registry for 000.\n\n       2. Respol1slbUittes of DOD Components in populating and maintaioiog the\ninventory for Global Information Grid assets.\n\nASN (RDA) RESPONSE: The DON CID has for a number of years maintained a\ndatabase of DON mission essential and mission critical IT systems, including those in\nplatforms and weapons systems. A program\'s update of information in this database is\nverified prior to approval of each acquisition milestone and/or prior to award of a contract\nto acquire an IT system.\n\nRECOMMENDATION\n\nB.t. We recommend that the Chief of Naval Operations in coordination with the\nAssistant Secretary ofthe Navy (Research, Development and Acqnisition) and the\nDeputy Assistant Secretary of the Navy for Command, Control, Communications,\nComputers, and IntelligencelElectronic Warfare/Space require system program\nmanagers to:\n\n        a. Obtain Joint Staff J-6 certification for systems with ioteroperability\nrequirements that support joint warfighting needs, including systems that were\ninitiated before the interoperability certification became a requirement, systems\n\n\n\n\n                                           24\n\x0ctbat are still being built, systems that have undergone major modifications, and\nsystems that are included in tbe inventory of Global Information Grid assets.\n\nASN (RDA) RESPONSE: The DON has been quite clear in its policies concerning\ninteroperability and IA via issuance of Secretary of the Navy and Chief of Naval\nOperations Instructions and IA publications. Many of our programs, particularly those in\nthe early phases of the life cycle, have net-ready Key Perfonnance Parameters (KPPs).\nWe would advise caution in requiring interoperabilityKPPs for all programs regardless\nof the program\'s mission and its current place in the life cycle phase. Resources should\nbe allocated to those programs where the return on investment is the greatest. Program\nManagers should advise acquisition officials of the cost of achieving compliance along\nwith associated impact on delivery schedule/quantity or perfonnance risk. In its\nimplementation of FORCEnet programs, the DON is planning to achieve substantial\ncompliance with FORCEnet technical standards by September 20 IO. This is the period\nduring which major portions of the DoD net-centric architecture are expected to be in\nplace to enable net-centric operations. DON acquisitions will accomplish FORCEnet\ncompliance through budget requests, ensuring that appropriate FORCEnet standards are\nused in program development, and demonstration of FORCEnet cornpliance at milestone\nreviews and during developmental and operational testing.\n\n       b. Prepare and use information support plans for all systems. with\ninformation technology requirements to document interoperability and\nsupportability requirements, or provide written justification stating why an\ninformation support plan is not required.\n\nASN (RDA) RESPONSE: We concur that written justification should be required for\nany program that does not prepare an Infonnation Support Plan. In the DON, test and\nevaluation for acquisition programs assesses the system\'s compliance with applicable\ntechnical standards and its ability to function in the applicable Families of\nSystems/Services as dermed in the Information Support Plan (ISP).\n\n       c. Prepare system security authorization agreements for systems tbat are\nsubject to the DOD Information Tecbnology Security Certification and\nAccreditation Process.\n\nASN (RDA) RESPONSE: Better definition ofwhenlwhat security is required in\naccordance with DOD Instruction 51000.40 is needed to provide common compliance\nacross the DON. The DON CIO and the Deputy Assistant Secretary of the Navy for\nCommand, Control, Communications, Computers and Intelligence and Space (DASN\n(C4I/S) review and assess IA Strategies for all major programs prior to milestone\napproval andlor prior to award of contracts acquiring IT systems.\n\n\n\n\n                                             2\n\n\n\n\n                                        25\n\x0cB.l. We recommend      that the Chief of Naval Operations in coordination with the\nAssistant Secretary of the Navy (Research, Development and Acquisition) and the\nDeputy Assistant Secretary ofthe Navy for Command, Control, Communications,\nComputers, and InteUigence/Electronic Warfare/Space establish specific\naccountability processes to verify that system program managers accomplish the\nactions specified in Recommendation B.t.\n\nASN (RDA) RESPONSE: These practices are already being conducted within the DON\ncommunity but some refinement, clarification, and discipline in our processes may be in\norder. We should continue to ensure that program managers execute their responsibilities\nfor joint staff certification, Infonnation Support Plans (ISP) and system security\nauthorization agreements. Funding for bringing systems into compliance with\narchitectures and standards will need to be supported by 000 in future fiscal year budget\nrequests and in current program development and product improvement budgets.\n\n        In summary, we will continue to evolve our efforts like the FORCEnet\nImplementation Baseline (FIBL) and Policy as a means to further infonnation that can\nsupport existing processes to ensure Program Managers execute their responsibilities for\n1-6 certification, ISP, and Systems Security Authorization Agreements (SSAA) when\nappropriate and to formally notify programs when these reports events are not being\nimplemented. Recently, the ASN (RDA) Chief Engineer (CHENG) has engaged in\ndiscussions with Marine Corps Systems Command to better understand practices and\nprocesses they use in development and management ofISP and SSAAs to detennine the\npotential applicability to the Navy enterprise.\n\n       Additionally, the Navy Program Executive Office (C4I and Space) in ajoint effort\nwith U.s. Air Force\'s Electronic Systems Center developed reference architecture,\nimplementation guidance and reusable software components, referred to as Net-centric\nEnterprise Solutions for Interoperability (NESI). The NESI Implementation Framework\nguidance applies to all phases of the acquisition process. The overall goal ofNESI is to\nprovide conunon, cross-service guidance in basic terms for the Program Managers and\ndevelopers of net-centric solutions. NESI was not fonnulated to replace or repeat\nexisting ODD direction/guidance, but rather to help translate into concrete actions the\nwide~ranging mandate contradictory guidance on the topic of net-centric compliance and\nstandards.\n\n        We believe that NESI, when fully implemented, will help programs comply with\nthe DOD net-centric directives, instructions, and other guidance documentation. This\nimtiative will continue to evolve as direction and our understanding of the requirements\nof net-centricity ~volve. We believe that NESt is a useful tool to other DOD Components\nin their quest for net-centricity.\n\n\n\n\n                                            3\n\n\n\n\n                                           26\n\x0c        In closing, we appreciate the efforts of the DOD IG auditors in making their\ninvestigations and assessments on interoperability and infonnation assurance policies for\nacquisition of Navy systems. We would welcome the opportu.nity to update the auditors\non our FlBL, Compliance Checklist, Acquisition Policy (be signed out in April 2005),\nand NESL Since the subject report reflects a snapshot in time, the auditors were unaware\nof efforts that we have now underway and the progress being made by the Navy\'s\nFORCEnet initiative.\n\n\n\n\n                                            4\n\n\n\n\n                                           27\n\x0cTeam Members\nThe Office of the Deputy Inspector General for Auditing of the Department of\nDefense, Acquisition and Technology Management prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\n\nYolanda D. Bailey\nJames A. Hoyt\nPatricia A. Joyner\nNephateria N. Moore\nJacqueline N. Pugh\nChristopher M. Scrabis\nRobert L. Shaffer\nKathryn M. Truex\nZachary M. Williams\n\x0c'